Why am I getting an 'Invalid role' error when using PingFederate for SSO?
Article ID: 282893

Products

CloudHealth

Issue/Introduction

The first step in troubleshooting this error is to confirm that the SAML assertion carries one of the valid platform user roles:

  • cloudhealth-administrator
  • cloudhealth-power
  • cloudhealth-standard

Passing any other value results in an 'Invalid role' error when signing in to the platform.

Resolution

PingFederate prefixes the user role in the 'roles' attribute of the SAML assertion with the characters 'CN=' (for example 'CN=cloudhealth-administrator'). CloudHealth does not recognise the prefixed value and rejects the sign-in with an 'Invalid role' error. To strip the prefix, add the following OGNL expression to the attribute mapping in PingFederate. It walks every value of the 'ds.memberOf' attribute, keeps the text between 'CN=' and the first comma, and returns the collected names as a new attribute value (or null when 'ds.memberOf' is absent). The '@System@out.println' call only writes each original/stripped pair to standard output for debugging and can be removed once the mapping is confirmed.

```
#theCNValues = new java.util.ArrayList(),
#vals = #this.get("ds.memberOf").getValues(),
#i = 0,
#vals.{ #val = #vals[#i],
        #newVal = #val.toString().substring(3, #val.indexOf(",")),
        @System@out.println(#val + " => " + #newVal),
        #theCNValues.add(#newVal),
        #i = #i + 1 },
#this.get("ds.memberOf") != null ? new org.sourceid.saml20.adapter.attribute.AttributeValue(#theCNValues) : null
```
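To see the failure and the fix side by side, the following added example (written for this article, not CloudHealth or PingFederate code) parses a constructed SAML assertion whose 'roles' value is a full LDAP DN, reports whether CloudHealth would accept it as sent, and shows what the CN-stripping produces. The assertion XML, the 'OU=Groups,DC=example,DC=com' suffix and the function names are assumptions; the three role names are the ones listed above.

```python
"""Check the 'roles' attribute of a SAML assertion against the CloudHealth role names.

Constructed example, not CloudHealth or PingFederate code.
"""
import xml.etree.ElementTree as ET

VALID_ROLES = {"cloudhealth-administrator", "cloudhealth-power", "cloudhealth-standard"}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: ds.memberOf was mapped straight into 'roles',
# so the value is the group's LDAP DN rather than the bare role name.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>CN=cloudhealth-administrator,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def roles_from_assertion(xml_text: str) -> list[str]:
    """Return the raw values of the 'roles' attribute, in document order."""
    root = ET.fromstring(xml_text)
    return [
        (v.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == "roles"
        for v in attr.iterfind("saml:AttributeValue", NS)
    ]


def cn_from_dn(value: str) -> str:
    """Keep the text between 'CN=' and the first comma, like the OGNL expression,
    but leave bare role names alone and do not fail on a DN without a comma."""
    if not value.upper().startswith("CN="):
        return value
    first_rdn = value.split(",", 1)[0]
    return first_rdn[3:]


def check_roles(xml_text: str) -> tuple[bool, list[str]]:
    """Return (accepted as sent, normalised role list) for the assertion."""
    raw = roles_from_assertion(xml_text)
    normalised = [cn_from_dn(r) for r in raw]
    return all(r in VALID_ROLES for r in raw), normalised
```

Note that the article's OGNL expression calls substring(3, indexOf(",")) and therefore raises an exception for a value with no comma; cn_from_dn above tolerates that case.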